One predefined attack within the critical attack group is triggering and blocking traffic. I have created an exempt rulebase for this one attack. It is now not dropping the traffic or showing up in the attack table, but I'm still unable to log alerts from this attack because the exempt rulebase doesn't allow the "THEN" option like normal IDP rule options.
How can I make this one attack not block and still alert?
I have removed the exempt rulebase and made another IDP rule within the IDP policy that just matches this one attack with alert and no action. But as soon as the second rule in the IDP policy matches the critical attack group, it matches again and blocks.
The IDP rulebase doesn't work like a normal firewall rulebase that terminates by default on a match. It will traverse through the policy and it can match multiple criteria. It takes the most severe action and uses that on a multimatch. The only way to get this to work in the way you are looking for is to move the rule to the top of the rulebase and to make it a terminal rule, so that once it matches it stops processing in the IDP rulebase.
Edit the specific rule, and "set terminal" to make it a terminal rule.
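For reference, here is what the configuration described in the answer looks like in Junos set-style syntax. This is an added example, not configuration posted by either participant: the policy name `IDP-POLICY`, the rule names `ALERT-ONLY` and `CRITICAL-DROP`, and the attack name `PLACEHOLDER-ATTACK-NAME` are placeholders to be replaced with your own values. The alert-only rule is given `no-action` plus `log-attacks alert` so the hit is logged without being dropped, marked `terminal` so the later critical-group rule is not evaluated for that session, and inserted ahead of the existing blocking rule so it is reached first.

```junos
# Added example (not from the thread). Placeholder names: IDP-POLICY,
# ALERT-ONLY, CRITICAL-DROP, PLACEHOLDER-ATTACK-NAME.

# Match only the single predefined attack that should alert but not block.
set security idp idp-policy IDP-POLICY rulebase-ips rule ALERT-ONLY match from-zone any to-zone any
set security idp idp-policy IDP-POLICY rulebase-ips rule ALERT-ONLY match source-address any destination-address any
set security idp idp-policy IDP-POLICY rulebase-ips rule ALERT-ONLY match application default
set security idp idp-policy IDP-POLICY rulebase-ips rule ALERT-ONLY match attacks predefined-attacks PLACEHOLDER-ATTACK-NAME

# Let the traffic through, but log the attack and raise an alert.
set security idp idp-policy IDP-POLICY rulebase-ips rule ALERT-ONLY then action no-action
set security idp idp-policy IDP-POLICY rulebase-ips rule ALERT-ONLY then notification log-attacks alert

# Terminal: once this rule matches, no later rule in the rulebase (including the
# critical-group drop rule) is considered for the same session.
set security idp idp-policy IDP-POLICY rulebase-ips rule ALERT-ONLY terminal

# Order matters: the terminal rule must sit above the rule that blocks the
# whole critical attack group.
insert security idp idp-policy IDP-POLICY rulebase-ips rule ALERT-ONLY before rule CRITICAL-DROP

# Verify ordering and the terminal flag before committing.
show security idp idp-policy IDP-POLICY rulebase-ips
```

A quick way to confirm the behaviour after commit is to check that the attack appears in the IDP attack logs with the alert marking while the corresponding sessions are no longer counted as dropped in the attack table; if the drop persists, the rule is either below the critical-group rule or missing the `terminal` keyword.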